The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.
Two-factor authentication is a method of confirming a user's claimed identity by utilizing a combination of two different components, or two different factors. These factors may be something that the user knows and something that the user possesses. The use of two-factor authentication to prove one's identity is based on the premise that an unauthorized actor is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the factors is missing or supplied incorrectly, the user's identity is not established with sufficient certainty, and access to the asset protected by two-factor authentication, such as a building or data, remains blocked. One example is withdrawing money from a cash machine. Only the correct combination of a bank card, which the user possesses, and a PIN (personal identification number), which the user knows, allows the transaction to be carried out.
A major drawback of two-factor authentication is that the factor that the user possesses, such as a bank card or a universal serial bus (USB) stick, must be carried around by the user at all times. Mobile device two-factor authentication was developed to avoid this issue. This approach uses mobile devices such as mobile phones and wearable computers to serve as the something that the user possesses. If users want to authenticate themselves, they can use their personal access license, something that only the individual user knows, plus a one-time-valid, dynamic passcode consisting of digits. The passcode can be sent to their mobile device by SMS (short message service) or via a special application. The advantage of this method is that there is no need for an additional, dedicated factor, as users tend to carry their mobile devices around at all times anyway. Some two-factor authentication solutions also ensure that there is always a valid passcode available for users. If a user has already used a passcode, this passcode is automatically deleted and the system sends a new passcode to the mobile device. And if the new passcode is not entered within a specified time limit, the system automatically replaces it. This ensures that no old, already used passcodes are left on mobile devices.
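The passcode lifecycle described above (single use, automatic replacement after use or after the time limit) is sketched below as an added example that is not part of the original text. The `PasscodeIssuer` class, its `send` delivery callback and the 120-second limit are assumptions made for illustration.

```python
import hmac
import secrets
import time


class PasscodeIssuer:
    """Keeps exactly one valid one-time passcode per user (illustrative)."""

    def __init__(self, send, ttl_seconds=120, digits=6, clock=time.monotonic):
        self._send = send        # hypothetical delivery callback (SMS or app)
        self._ttl = ttl_seconds  # assumed time limit for entering a passcode
        self._digits = digits
        self._clock = clock
        self._active = {}        # user -> (passcode, expiry time)

    def issue(self, user):
        """Generate a fresh passcode, overwrite the previous one, deliver it."""
        code = f"{secrets.randbelow(10 ** self._digits):0{self._digits}d}"
        self._active[user] = (code, self._clock() + self._ttl)
        self._send(user, code)
        return code

    def refresh_expired(self):
        """Replace every passcode that was not entered within the time limit."""
        now = self._clock()
        for user in [u for u, (_, exp) in self._active.items() if exp <= now]:
            self.issue(user)

    def verify(self, user, submitted):
        """Accept a passcode at most once; used or expired ones are replaced."""
        entry = self._active.get(user)
        if entry is None:
            return False
        code, expiry = entry
        if self._clock() >= expiry:
            self.issue(user)     # expired passcode is replaced, attempt fails
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False
        self.issue(user)         # used passcode is deleted and a new one sent
        return True


if __name__ == "__main__":
    outbox = []                  # constructed stand-in for the SMS channel
    issuer = PasscodeIssuer(lambda user, code: outbox.append((user, code)))
    code = issuer.issue("alice")
    print(issuer.verify("alice", code), len(outbox))
```

A wrong guess leaves the current passcode valid in this sketch; limiting the number of attempts per passcode is a separate control that the text does not cover.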
Security of the mobile-delivered security tokens fully depends on the mobile operator's operational security, and can be easily breached by wiretapping. Text messages to mobile devices using SMS are insecure and can be intercepted, so that a passcode can be stolen and used by third parties. The mobile device must be kept in range of a cellular network whenever authentication is necessary, so access may be impossible if the mobile device is unable to display messages. Text messages may not be delivered instantly, adding delays to the authentication process. Since modern mobile phones are used for receiving both email and SMS, and the email account is usually left logged in, if a mobile phone is lost or stolen, all accounts for which the email is the key can be hacked because the mobile phone can receive the second factor. Since mobile phones combine the two factors into one factor, stolen mobile phones can potentially allow a thief to gain access into the user's accounts.